Does DKIM verify smtp/envelope-from or the mail/header from? [closed]

I want to understand the SPF/DKIM/DMARC Stack for authenticating e-mails.

I understand that SPF works on the SMTP "mail from"/ envelope-from.

But even on Stack Overflow itself, I find contradictory information about whether DKIM works on the envelope-from or the actual SMTP payload/email/Header-From.

Tobi asked Oct 17 '25 16:10

1 Answer

Short answer...

SPF validates the envelope against a sending IP address, DKIM validates a message payload, DMARC ties the two together and indicates a desired treatment when either fails.


Longer answer...

DKIM is applied to an authored message at the sending server, using private keys, and is then verified by a receiving server using public keys via DNS.

The DKIM spec allows signers to choose which header fields they sign, but the From: field must always be signed, along with a specified length (which may be zero) of the body, and so may at the author's whim include the body and/or attachments at the end of the message payload.

DKIM is independent of SMTP routing in that it operates on the RFC 5322 message — i.e. the transported mail's header and body — not the SMTP envelope defined in RFC 5321. So the DKIM signature survives basic relaying across multiple MTAs.

DKIM allows the signer to convey which email content it considers legitimate, in a strict or relaxed fashion. In this way a signer can warrant some key content whilst allowing an element of trivial rewriting of whitespace and header wrapping. It does not directly prevent or disclose attempted abuse, but can be used forensically by a receiving server to validate content to the degree allowed by the signer.


SPF is published in DNS, and is tested by a receiving server.

The SPF spec allows a domain's DNS to warrant which sending IPs, and other mechanisms which resolve to IPs, are allowed / forbidden to be the sending source of emails for the domain. It is only tested against the SMTP envelope defined in RFC 5321, using either the MAIL FROM or HELO values.


DMARC is a policy published in DNS for a domain, and is verified by the receiving server.

It allows the sending domain to monitor abuse via reports from compliant receiving servers, and to indicate how any SPF or DKIM failures should be treated. Furthermore it can be used to align the domains found in both SPF and DKIM, and is used to identify abuse when both SPF and DKIM pass, but each uses different domains.

Gavin Jackson answered Oct 21 '25 23:10
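To make the three identifiers in the answer concrete, here is an added Python example (not code from the answer or from any DKIM library) that pulls the RFC 5321 MAIL FROM domain, the DKIM d= domain and the RFC 5322 From: domain out of a constructed envelope and message, then applies DMARC identifier alignment to them. All domains, the selector and the truncated bh=/b= values are placeholders; the actual SPF and DKIM verification results are assumed to have been computed already and are passed in as booleans, and the organisational-domain reduction is simplified (no Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the SMTP envelope sender and the RFC 5322 message it
# carried. Envelope, DKIM signer and header From: all use different domains.
ENVELOPE_MAIL_FROM = "bounces@mail.example.net"          # RFC 5321 MAIL FROM
RAW_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.com;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Example Shop" <news@example.com>
To: alice@example.org
Subject: Your receipt

Thanks for your order.
"""

def org_domain(domain):
    """Simplified organisational domain (last two labels); real DMARC
    implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])

def identifiers(raw_message, envelope_mail_from):
    """Return (SPF domain, DKIM d= domain, header From: domain)."""
    msg = message_from_string(raw_message)
    spf_domain = envelope_mail_from.rsplit("@", 1)[1]
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)   # d= tag of the signature
    dkim_domain = m.group(1) if m else None
    header_from = parseaddr(msg["From"])[1].rsplit("@", 1)[1]
    return spf_domain, dkim_domain, header_from

def aligned(auth_domain, header_from_domain, mode="r"):
    """DMARC alignment: strict ('s') needs an exact match with From:,
    relaxed ('r') only the same organisational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)

def dmarc_result(raw_message, envelope_mail_from, spf_pass, dkim_pass,
                 adkim="r", aspf="r"):
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns
    with the header From:. Passing on an unrelated domain counts for nothing."""
    spf_d, dkim_d, from_d = identifiers(raw_message, envelope_mail_from)
    spf_ok = spf_pass and aligned(spf_d, from_d, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, from_d, adkim)
    return spf_ok or dkim_ok
```

Swapping the d= tag to a domain unrelated to the From: domain shows the case from the answer where SPF and DKIM both pass yet DMARC fails, because neither passing identifier aligns.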


